mgeeky
/ urbandoor.cs
Created
April 11, 2023 08:23
— forked from monoxgas/urbandoor.cs
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |
mgeeky
/ adodb_stream_for_hta.js
Created
March 6, 2023 19:05
— forked from rndomhack/adodb_stream_for_hta.js
Create ADODB.Stream object for HTA (mode IE9, IE10)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var fso = new ActiveXObject("Scripting.FileSystemObject"); | |
| var ado = (function() { | |
| if (typeof window === "undefined") { | |
| return new ActiveXObject("ADODB.Stream"); | |
| } else { | |
| var _GetObject = (typeof GetObject === "function") ? GetObject : (function() { | |
| var script = window.document.createElement("script"); | |
| script.setAttribute("language", "VBScript"); | |
| script.innerHTML = "Function GetObjectHelper(name)\nSet GetObjectHelper = GetObject(name)\nEnd Function"; | |
| window.document.body.appendChild(script); |
mgeeky
/ loadlibrary_system.c
Created
March 2, 2023 17:57
— forked from rossy/loadlibrary_system.c
Safe LoadLibrary for DLLs that are expected to be in system32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <wchar.h> | |
| #define LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800) | |
| HMODULE loadlibrary_system(const wchar_t* name) | |
| { | |
| /* If running on Windows 8 or a system with KB2533623, LoadLibraryEx with | |
| LOAD_LIBRARY_SEARCH_SYSTEM32 does the right thing */ | |
| if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory")) |
mgeeky
/ KeePass-Export-Trigger.xml
Last active
January 26, 2023 19:33
KeePass Export Database Trigger XML - aka CVE-2023-24055 aka KeeThief . Insert this XML into %APPDATA%\Roaming\KeePass\KeePass.config.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <TriggerCollection | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> | |
| <Triggers> | |
| <Trigger> | |
| <Guid>Ab8CqzeKQUuKdzTx4tKy7A==</Guid> | |
| <Name>Debug</Name> | |
| <Events> | |
| <Event> | |
| <TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid> |
mgeeky
/ msteams-token.js
Created
January 12, 2023 00:47
— forked from X-C3LL/msteams-token.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Obtain teams token - you can reuse it for GoMapEnum for example | |
| // Author: Juan Manuel Fernandez (@TheXC3LL) | |
| const puppeteer = require('puppeteer'); | |
| (async () => { | |
| console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n"); | |
| const username = process.argv[2]; | |
| const password = process.argv[3]; | |
| console.log("[*] Using credentials: %s:%s", username, password); |
mgeeky
/ FreshyCalls-VBA.vba
Created
January 12, 2023 00:44
— forked from X-C3LL/FreshyCalls-VBA.vba
Retrieving SSN for syscalling in VBA following FreshyCalls technique
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Proof of Concept: retrieving SSN for syscalling in VBA | |
| ' Author: Juan Manuel Fernandez (@TheXC3LL) | |
| 'Based on: | |
| 'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | |
| 'https://www.crummie5.club/freshycalls/ | |
| Private Type LARGE_INTEGER |
mgeeky
/ Configure-ASR.ps1
Created
December 28, 2022 12:13
A little script that configures all Microsoft Defender Attack Surface Reduction (ASR) rules at once to a specific state. Example: PS> .\Configure-ASR.ps1 -State Enabled
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -RunAsAdministrator | |
| <# | |
| .SYNOPSIS | |
| Script used to manage state of Microsoft Defender's Attack Surface Redution rules. | |
| Configures all ASR rules into mode defined in -State parameter. | |
| .PARAMETER State | |
| Tells how to configure all ASR rules available. Valid options: | |
| - Disable (Disable the ASR rule) |
mgeeky
/ PEB.cs
Created
October 24, 2022 14:28
— forked from TetteDev/PEB.cs
Unlinking Module from PEB with c# (64bit tested only)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule) | |
| { | |
| if (hModule == IntPtr.Zero) return false; | |
| PEB* peb = Get_PEB(); | |
| if (peb == null) return false; | |
| LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink; | |
| Debug.Assert(CurrentEntry != null); |
mgeeky
/ gist:a7dd62dd86205ad19c7365037508bb76
Created
October 10, 2022 11:15
— forked from ThunderGunExpress/gist:d221b316c94c4b7403f3179292c23ccb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //All credit goes to Ysoserial.net and the great @tiraniddo | |
| //Snippets copied from ysoserial.net | |
| //https://thewover.github.io/Mixed-Assemblies/ - Great read! | |
| //https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Runtime.Serialization.Formatters.Binary; | |
| using System.IO; | |
| using System.Reflection; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * fork.c | |
| * Experimental fork() on Windows. Requires NT 6 subsystem or | |
| * newer. | |
| * | |
| * Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org> | |
| * | |
| * Permission to use, copy, modify, and/or distribute this software for any | |
| * purpose with or without fee is hereby granted, provided that the above | |
| * copyright notice and this permission notice appear in all copies. |